The GDPR gives every citizen the right to information. However, this right is often very difficult for companies to implement. Before you begin to answer a request, you must first verify the identity of the person concerned. This is important because it must be determined whether the person is entitled to be informed about this data at all.
This raises the question: how do you verify the identity of the person concerned?
One possibility would be to ask for a copy of a passport, but this route also involves risks. If the request comes from a person about whom you have not stored any data, the ID card copy they send puts sensitive personal information into your system. In addition, it is difficult to determine whether the ID card is fake or not.
Another way to check the identity would be a videoconference in which the person holds their ID up to the camera. This process does not store any sensitive personal data, but the time involved is very high. It must also be expected that many people who want information about their data do not have the technical means for a video chat. These persons also have a right to information.
The identity must be checked! If you do not do that, there is a risk that data will be passed on to unauthorized persons. The result would be a data breach. This not only costs the company money, it also damages the reputation of the company.
Locating the data
Once the identity of the data subject has been established, the data must be located in the various systems. Each company uses several systems (e.g. marketing, sales, payroll, accounting, etc.) and all of these systems now need to be searched. In addition, for data protection reasons, not every employee may have access to every system. As a result, several employees at once end up looking up what data about the data subject is stored in the company.
This may then take several hours of work.
But what do you do if your business is hit by a flood of inquiries? Austrian Post showed how quickly this can happen: a report in the media was enough to overwhelm Austrian Post AG with requests from data subjects.
That’s why you should be prepared for such an incident. With easyGDPR you can automate the handling of these requests and thus minimize your effort. The person concerned simply completes a form specifying their email address, phone number, etc., and the system then checks the specified data. Once the identity has been determined, the relevant data is automatically read from the various systems, and a response is generated and sent to the appropriate employee for review. The employee checks the requested data and sends it to the person concerned.
It can be that easy if you rely on the right system! With easyGDPR Affected Requests your business is prepared.
Did we spark your interest, or do you have further questions? Then contact us!
Current case from Hungary
In Hungary, a data subject requested access to documents relating to a dispute and, as evidence for the litigation, also wanted copies of the video from surveillance cameras. The company rejected this, however, because the recordings would not support the claims of the person concerned. The company was subsequently fined € 3,135.00 by the Hungarian Data Protection Authority for violating the data subject’s right of access. The penalty in this case amounts to 6.5% of the annual income of the company.